b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                  Telephone Authentication Practices Need\n                      Improvements to Better Prevent\n                         Unauthorized Disclosures\n\n\n\n                                        March 31, 2010\n\n                            Reference Number: 2010-40-045\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review\n process and information determined to be restricted from public release has been redacted from\n                                          this document.\n\n Redaction Legend:\n 1 = Tax Return/Return Information\n 3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                 DEPARTMENT OF THE TREASURY\n                                                       WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                                March 31, 2010\n\n\n MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION\n\n\n FROM:                   (for) Michael R. Phillips\n                               Deputy Inspector General for Audit\n\n SUBJECT:                     Final Audit Report \xe2\x80\x93 Telephone Authentication Practices Need\n                              Improvements to Better Prevent Unauthorized Disclosures\n                              (Audit # 200940044)\n\n This report presents the results of our review of the authentication of taxpayers who call toll-free\n telephone numbers to determine whether current procedures to authenticate these taxpayers\n reduce the risk of unauthorized disclosure of taxpayer Personally Identifiable Information. This\n audit is a followup to two prior Treasury Inspector General for Tax Administration audits1 and\n was included in our Fiscal Year 2010 Annual Audit Plan and addresses the major management\n challenge of Providing Quality Taxpayer Service Operations.\n\n Impact on the Taxpayer\n In February 2009, the Federal Trade Commission reported that for the ninth year in a row\n identity theft was the number one consumer complaint nationwide. 2 Identity theft occurs when\n someone uses Personally Identifiable Information, such as an individual\xe2\x80\x99s name, Social Security\n Number, credit card numbers, or other account information to commit fraud and other crimes.\n Taxpayers need to be assured that the Internal Revenue Service (IRS) is taking every precaution\n to protect their private information from inadvertent disclosure. This includes, but is not limited\n to, taxpayers calling the IRS\xe2\x80\x99 toll-free telephone numbers to request account information.\n\n 1\n   Toll-Free Account Assistance to Taxpayers Is Professional and Timely, and the Quality of Information Provided\n Has Improved (Reference Number 2005-40-018, dated December 15, 2004) and Toll-Free Account Assistance to\n Taxpayers Is Professional and Timely, but Improvement Is Needed in the Information Provided (Reference\n Number 2004-40-057, dated February 27, 2004).\n 2\n   Consumer Sentinel Network Data Book for January - December 2008, Federal Trade Commission, dated\n February 2009.\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n\nSynopsis\nThe telephone continues to be one of the primary methods taxpayers use to communicate with\nthe IRS. Millions of telephone calls were made to the IRS toll-free telephone line\n(1-800-829-1040) in Fiscal Year 2009 seeking help with tax account questions. IRS guidelines\nrequire assistors to fully authenticate callers before assisting them. Two prior Treasury Inspector\nGeneral for Tax Administration audit reports identified that IRS assistors did not always comply\nwith procedures for authenticating taxpayers\xe2\x80\x99 identities.\nAssistors are not always authenticating taxpayers who call the IRS\xe2\x80\x99 toll-free telephone number\nfor tax account information. From our statistical sample of\n180 contact recordings, 3 we determined that assistors did not\n                                                                      Of 180 calls tested,\nproperly follow procedures when authenticating                    assistors increased the\n29 (16 percent) callers, increasing the risk of unauthorized         risk of unauthorized\ndisclosures.                                                            disclosures for\n                                                                                          29 calls.\n    \xe2\x80\xa2    9 assistors did not ask callers the 2 additional\n         authentication probes (high-risk questions) when the\n         situation required.\n    \xe2\x80\xa2    8 assistors did not ask callers all 5 required authentication questions.\n    \xe2\x80\xa2    7 assistors did not authenticate callers for various other reasons. For example, assistors\n         did not appropriately end the call when the caller continued to incorrectly answer probing\n         questions or the assistor was in doubt of the caller\xe2\x80\x99s identity.\n    \xe2\x80\xa2 *********************1**************************************************.\n    \xe2\x80\xa2 *******************1**************************************************\n        ********************************************************************\n        *******************************************************\nBased on these results, the projected number of callers with increased risk of unauthorized\ndisclosures is 44,067 for 1 week.\nDuring our review of 48 (27 percent) of the 180 sampled calls, we were able to hear parts of\nassistors\xe2\x80\x99 conversations with other callers. For 10 calls (6 percent) the conversations were very\nclear and for 38 calls (21 percent) other assistors\xe2\x80\x99 interactions with callers were heard, but we\ncould not clearly make out the conversations. This happened because assistors did not put callers\n\n3\n  A contact recording captures the audio portion of the assistor/taxpayer interaction on the IRS\xe2\x80\x99 toll-free telephone\nlines and is synchronized with computer screen activity for replay and quality review. Some of the recordings also\ninclude a video of the computer screen activity. These contact recordings were from calls received from individual\ntaxpayers who called the IRS\xe2\x80\x99 1-800-829-1040 line during the week ending August 14, 2009.\n                                                                                                                        2\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\non hold when they were researching the taxpayers\xe2\x80\x99 accounts. Also, the physical layout of\nworkstations at call centers allows other conversations to be overheard. For 26 calls (14 percent\nof all calls tested), assistors repeated the Social Security Number back to the caller on the\ntelephone. This puts the IRS at risk of disclosing Personally Identifiable Information.\nThe IRS has a new IRS-wide Authentication Strategy and its vision is to promote data protection\nand enable ease of access to maintain public confidence and improve customer service. The\ngoals are to enhance an IRS-wide authentication internal control framework to address risk, deter\nfraudulent access, and institutionalize a common set of principles for authenticating taxpayers\nwhen contacting the IRS.\nTaxpayers must be authenticated each time they are transferred to a different assistor to ask an\naccount question. During Fiscal Year 2009, 1,019,170 calls were transferred. The IRS has a\nfuture strategy called Authentication Retention to reduce the number of times a caller is\nauthenticated. Authentication Retention will allow caller\xe2\x80\x99s authentication information to be\nreadily available to each assistor who provides help to the caller. However, in Fiscal Year 2009,\nthe IRS decided not to fund Authentication Retention, but will reconsider it in future budget\nrequests. This initiative is expected to affect approximately 20 million callers, reduce taxpayer\nburden by more than $1 million, reduce improper disclosure errors, and save approximately\n$7 million in assistor time annually. The estimated cost for the project is $7 million.\nFor Fiscal Year 2009, the average amount of time callers waited to speak with an assistor was\napproximately 10 minutes. Authenticating callers using an automated system while they wait to\nspeak to an assistor could reduce taxpayer burden, reduce authentication errors, and increase the\nnumber of calls the IRS could answer. This is important because as the IRS answers more calls\nthe Level of Service 4 increases.\nUsing results from our statistical sample, if 50 percent of the callers were authenticated while\nwaiting to speak to an assistor, the IRS could save 136,654 minutes of assistor time, or\n2,278 hours per week. The projected 5-year (Fiscal Years 2010 through 2014) productivity gain\nfrom authenticating callers while they wait to speak with an assistor equates to 496 Full-Time\nEquivalents, 5 or approximately $30 million. During Fiscal Year 2009, the average time assistors\nspent on the telephone assisting callers was more than 11 minutes. The IRS could also increase\nproductivity by answering 1,180,306 additional calls per year because assistors would spend\napproximately 1 minute less talking with callers.\n\n\n\n\n4\n The Level of Service is the IRS\xe2\x80\x99 primary measure of providing taxpayers with access to a live assistor.\n5\n A measure of labor hours in which 1 Full-Time Equivalent is equal to 8 hours multiplied by the number of\ncompensable days in a particular fiscal year. For Fiscal Year 2009, 1 Full-Time Equivalent was equal to 2,088 staff\nhours. See Appendix IV for details.\n                                                                                                                  3\n\x0c                     Telephone Authentication Practices Need Improvements\n                           to Better Prevent Unauthorized Disclosures\n\n\n\n\nRecommendations\nWe recommended that the Commissioner, Wage and Investment Division, revise guidelines to\nrequire assistors to ask two additional high-risk probes when callers incorrectly answer the\naddress or date of birth probes. During assistor training, it should be emphasized that assistors\nare not to prematurely authenticate callers when using the Account Management Services and\nshould place callers on hold while conducting research. Assistors should be trained on the\nimportance of controlling calls and guidelines should be developed that require assistors to ask\ncallers to repeat Personally Identifiable Information if clarification is needed. Finally, the\nCommissioner should incorporate available technology to authenticate callers in the queue into\nthe development of Authentication Retention.\n\nResponse\nThe IRS agreed with two and partially agreed with one of our four recommendations. It will\nemphasize during training the proper use of hold procedures. Guidance and training will be\ndeveloped to instruct assistors to request callers repeat Personally Identifiable Information rather\nthan having the assistor repeat the information back to callers. Assistors will be trained to repeat\nonly partial information back to callers when the assistor determines it is necessary to repeat\ninformation. The IRS will also submit a technology request to incorporate available technology\nto authenticate callers prior to their reaching an assistor.\nThe IRS did not agree with our recommendation to revise guidelines to require assistors to ask\ntwo additional high-risk probes when callers incorrectly answer the address or date of birth\nprobes. The IRS considers existing guidelines sufficient and revising the guidelines is\nunnecessary. It considers that the authentication strategic approach currently under development\nwill further change the current authentication process. However, the IRS stated that while there\nis no plan at this time to require two additional high-risk probes when callers incorrectly answer\nthe address or date of birth probes, training materials will continue to emphasize that inadequate\ncaller identity authentication could result in an unauthorized disclosure.\nThe IRS also partially agreed with our recommendation to emphasize during training that\nassistors do not prematurely authenticate callers when using the Account Management Services.\nThe IRS considers the possibility of inadvertent disclosure to be remote since its review of our\nsample calls did not reveal instances of unauthorized disclosure. In addition, the use of the\nAutomated Technology Disclosure Tool is now mandatory. The IRS will update training\nmaterials to emphasize the risk of prematurely authenticating callers.\nThe IRS did not agree with our second outcome measure on the inefficient use of resources\nbecause it believes that the measure does not consider the cost to develop and operate the\n\n\n                                                                                                    4\n\x0c                    Telephone Authentication Practices Need Improvements\n                          to Better Prevent Unauthorized Disclosures\n\n\n\nAuthentication Retention system. Management\xe2\x80\x99s complete response to the draft report is\nincluded as Appendix VI.\n\nOffice of Audit Comment\nWe believe that requiring assistors to ask two additional high-risk probes when callers\nincorrectly answer the address or date of birth probes is warranted to reduce the risk of\nunauthorized disclosure of taxpayer information. Our review of a sample of calls showed that\nassistors are routinely asking additional high-risk questions. We believe modifying existing\nguidelines to require the additional questions would not be an unnecessary burden considering\nthe consequences of unauthorized disclosure.\nRegarding the inefficient use of resources outcome measure, we agree that there would be\nadditional costs to develop and operate the Authentication Retention system. However, these\ncosts have not been quantified and the IRS did not provide its own estimate in its response.\nNotwithstanding, we believe this outcome measure shows the degree to which the Authentication\nRetention system will improve the efficient use of existing staff resources based on the average\nvolume of calls during the stated 3-year period.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMichael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account\nServices), at (202) 622-5916.\n\n\n\n\n                                                                                                5\n\x0c                           Telephone Authentication Practices Need Improvements\n                                 to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 3\n          Assistors Are Not Always Authenticating Taxpayers Who Call\n          the Internal Revenue Service\xe2\x80\x99s Toll-Free Telephone Number\n          for Tax Account Information ........................................................................Page 3\n                    Recommendations 1 and 2: ..............................................Page 8\n\n          Taxpayers May Be Able to Overhear Personally Identifiable\n          Information Being Discussed by Assistors on Other Calls...........................Page 9\n                    Recommendation 3:........................................................Page 9\n\n          Adopting Industry Best Practices Could Improve the Customer Service\n          Experience, Reduce Operating Costs, and Increase the Number of Calls\n          Assistors Answered.......................................................................................Page 10\n                    Recommendation 4:........................................................Page 13\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 14\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 16\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 17\n          Appendix IV \xe2\x80\x93 Outcome Measures...............................................................Page 18\n          Appendix V \xe2\x80\x93 Authentication Requirements................................................Page 20\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 23\n\x0c        Telephone Authentication Practices Need Improvements\n              to Better Prevent Unauthorized Disclosures\n\n\n\n\n                    Abbreviations\n\nIRS           Internal Revenue Service\nTIGTA         Treasury Inspector General for Tax Administration\n\x0c                       Telephone Authentication Practices Need Improvements\n                             to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                            Background\n\nIn February 2009, the Federal Trade Commission reported that for the ninth year in a row\nidentity theft was the number one consumer complaint nationwide. 1 Identity theft occurs when\n  Personally Identifiable Information\n                                              someone uses Personally Identifiable Information,\n  includes an individual\xe2\x80\x99s:                   such as an individual\xe2\x80\x99s name, Social Security\n  \xe2\x80\xa2 Name.                                     Number, credit card numbers, or other account\n  \xe2\x80\xa2 Address.                                  information, to commit fraud and other crimes.\n  \xe2\x80\xa2 E-mail Address.                           The Internal Revenue Service (IRS) Office of\n  \xe2\x80\xa2 Social Security Number.                   Privacy, Information Protection, and Data\n  \xe2\x80\xa2 Telephone Number.                         Security defines Personally Identifiable\n  \xe2\x80\xa2 Bank Account Number.\n  \xe2\x80\xa2 Date and Place of Birth.\n                                              Information as any combination of information\n  \xe2\x80\xa2 Mother\xe2\x80\x99s Maiden Name.                     that can be used to uniquely identify, contact, or\n  \xe2\x80\xa2 Biometric Data (i.e., height, weight, eye locate a person and could subsequently be used\n      color, finger prints, etc.).            for identity theft.\n                                                 Telephone usage continues to be one of the\nprimary methods taxpayers use to communicate with the IRS. Millions of taxpayers call the IRS\ntoll-free telephone line (1-800-829-1040) every year seeking help with tax account questions.\nThese calls require that telephone assistors authenticate taxpayers before assisting them, for\nexample, when taxpayers call to inquire about the amount of their tax refunds or to discuss taxes\nowed on their accounts.\nInternal Revenue Code Section 6103 states that tax returns and return information shall be\nconfidential, except as authorized. The definition of tax return information includes a taxpayer\xe2\x80\x99s\nidentity and the nature, source, or amount of his or her income, payments, receipts, deductions,\nexemptions, credits, assets, liabilities, net worth, tax liability, and tax withheld.\nTwo prior Treasury Inspector General for Tax Administration (TIGTA) audit reports identified\nthat IRS assistors did not always comply with procedures for authenticating taxpayers\xe2\x80\x99\nidentities. 2 IRS guidelines require assistors to fully authenticate the caller as authorized to\nreceive the information before providing an answer to the taxpayer\xe2\x80\x99s question.\n\n\n\n1\n  Consumer Sentinel Network Data Book for January - December 2008, Federal Trade Commission, dated\nFebruary 2009.\n2\n  Toll-Free Account Assistance to Taxpayers Is Professional and Timely, and the Quality of Information Provided\nHas Improved (Reference Number 2005-40-018, dated December 15, 2004) and Toll-Free Account Assistance to\nTaxpayers Is Professional and Timely, but Improvement Is Needed in the Information Provided (Reference\nNumber 2004-40-057, dated February 27, 2004).\n                                                                                                          Page 1\n\x0c                    Telephone Authentication Practices Need Improvements\n                          to Better Prevent Unauthorized Disclosures\n\n\n\nIn addition, TIGTA\xe2\x80\x99s Office of Investigations has worked with other law enforcement\norganizations to address criminal activity using pretexting. Pretexting is an element of social\nengineering, the act of manipulating people into performing actions or divulging confidential\ninformation. Pretexting is the act of creating and using an invented scenario to persuade\nsomeone to release information. It is typically done over the telephone and most often involves\nsome prior research and the use of pieces of known Personally Identifiable Information, such as\ndate of birth or Social Security Number. According to the Federal Trade Commission, pretexting\ncan lead to identity theft.\nA recent case involved private investigators who were indicted on charges that they used illegal\nmethods, including identity theft, to illegally obtain\nPersonally Identifiable Information from the IRS,            Private investigators used illegal\nSocial Security Administration, and other agencies for       methods, including identity theft,\n***3(d)**********. From January 2004 to May 2007,              to illegally obtain Personally\nemployees from a private investigation company posed              Identifiable Information\n                                                                  from Federal agencies.\nas the people they were investigating to trick the targets\ninto releasing sensitive information (i.e., ***3(d)*****\n****3(d)***************** tax returns, and medical ***3(d)*** and selling this information to\nother private investigators, law firms, and others.\nThis review was performed at the Wage and Investment Division offices in Atlanta, Georgia,\nduring the period July through December 2009. We conducted this performance audit in\naccordance with generally accepted government auditing standards. Those standards require that\nwe plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions based on our audit objective. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on our\naudit objective. Detailed information on our audit objective, scope, and methodology is\npresented in Appendix I. Major contributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                         Page 2\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                       Results of Review\n\nAssistors Are Not Always Authenticating Taxpayers Who Call the\nInternal Revenue Service\xe2\x80\x99s Toll-Free Telephone Number for Tax\nAccount Information\nFrom our statistical sample of 180 contact recordings, 3 we determined that assistors did not\nproperly follow procedures when authenticating 29 (16 percent) callers, increasing the risk of\nunauthorized disclosures. Based on these results, the projected number of callers with increased\nrisk of unauthorized disclosures is 44,067 for 1 week.\n\nAssistors did not always follow guidelines when authenticating callers\nOf the 180 calls tested, assistors increased the risk of unauthorized disclosures for 29 calls.\n                                                \xe2\x80\xa2    9 assistors did not ask callers the 2 additional\nInternal guidelines instruct\nassistors to ask the following\n                                                     authentication probes (high-risk questions) when the\nquestions (probes) to authenticate                   situation required.\nthe caller before discussing any tax\naccount information:                            \xe2\x80\xa2    8 assistors did not ask callers all 5 required\n1. Taxpayer Identification Number.                   authentication questions.\n2. Name.                                        \xe2\x80\xa2    7 assistors did not authenticate callers for various\n3. Address.                                          other reasons. For example, assistors did not\n4. Date of Birth.                                    appropriately end the call when the caller continued\n5. Filing Status.                                    to incorrectly answer probing questions or the\nIf the caller does not answer correctly,             assistor was in doubt of the caller\xe2\x80\x99s identity.\nor answer all the questions, the\nassistor is required to ask two                 \xe2\x80\xa2\n                                     *********************1*******************\nadditional authentication questions,*****************************************\nreferred to as high-risk questions. *****************************************\n                                    *****************************************\n    **************************************************************************\n    **************************************************************************\n    ************************************************\n\n\n3\n  A contact recording captures the audio portion of the assistor/taxpayer interaction on the IRS\xe2\x80\x99 toll-free telephone\nlines and is synchronized with computer screen activity for replay and quality review. Some of the recordings also\ninclude a video of the computer screen activity. These contact recordings were from calls received from individual\ntaxpayers who called the IRS\xe2\x80\x99 1-800-829-1040 line during the week ending August 14, 2009.\n                                                                                                              Page 3\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n        \xe2\x80\xa2   2 assistors did not confirm whether the caller was physically present at the fax\n            machine when tax account information was being faxed or did not inform the caller of\n            the risk of disclosure when using a cell phone to discuss taxpayer information.\nInternal guidelines state that five probes are required to authenticate the caller, and in some cases\nadditional probes are required. 4 If the taxpayer\xe2\x80\x99s identification number and name do not match\nIRS records, 5 the assistor must not provide taxpayer information to the caller and should advise\nthe caller to call back with accurate information. If the caller incorrectly responds to one of the\nother three probes, the assistor is instructed to ask two or more high-risk questions.\nIn an attempt to provide good customer service and provide callers with the account information\nrequested, assistors at times asked multiple high-risk questions. Guidelines do not specify the\nmaximum number of questions to ask before the caller is authenticated. Instead, assistors are\ninstructed to use their discretion. However, there is a risk that this will lead to pretexting. For\nexample:\n    \xe2\x80\xa2   Callers answered multiple probes incorrectly so assistors kept asking questions until the\n        callers were able to finally answer two additional questions correctly.\n    \xe2\x80\xa2   Callers stated they did not know the answer to the question assistors asked, but suggested\n        another question in hopes they would be able to answer it correctly. The assistor then\n        asked the exact question suggested by the caller, the caller answered correctly, and the\n        assistor provided the account information requested.\n    \xe2\x80\xa2   Assistors asked callers to give their word that they were the person whose information\n        was on the IRS system.\nThe above situations open up the potential for providing information to potential identity thieves\nor impostors who use \xe2\x80\x9cpretexting\xe2\x80\x9d to illicitly obtain access to taxpayer information. The private\ninvestigators, who were indicted in the identity theft case referred to in the Background section,\nused this technique to gain taxpayer information. The greater the number of questions assistors\nask callers about their accounts, the more information the callers learn that can be used to\ndeduce the taxpayers\xe2\x80\x99 tax account information. With this information identity thieves can\ncontinue to call the IRS to gain access to taxpayer information. For example, generally with\nfour calls an identity thief can get enough information to deduce a taxpayer\xe2\x80\x99s filing status.\nAssistors who provide information to an individual without fully authenticating him or her\nincrease the risk that a taxpayer\xe2\x80\x99s Personally Identifiable Information will be disclosed to an\nunauthorized individual. Assistors are responsible for knowing with whom they are speaking\n\n\n4\n See Appendix V for the authentication instructions in detail.\n5\n The assistor accesses and verifies taxpayer data via the Integrated Data Retrieval System. The Integrated Data\nRetrieval System is the IRS computer system capable of retrieving or updating stored information; it works in\nconjunction with a taxpayer\xe2\x80\x99s account records.\n                                                                                                           Page 4\n\x0c                         Telephone Authentication Practices Need Improvements\n                               to Better Prevent Unauthorized Disclosures\n\n\n\nand the purpose of the call/contact. They must authenticate each caller as someone entitled to\nreceive information about a tax return or tax account. Only after authenticating the taxpayer or\nthird-party designee 6 should the assistor disclose information about the account to the caller.\nThe IRS currently uses the Centralized Quality Review System to measure quality including\nCustomer Accuracy. This process requires reviewers to listen to a statistical sample of contact\nrecordings to evaluate the contact. The IRS does not consider it a direct impact to the taxpayer\nwhen the assistor does not ask all the required identification probe questions or does not\ncorrectly complete the taxpayer authentication probe. Therefore, the IRS does not include this as\nan error in the calculation of Customer Accuracy and when reporting Customer Accuracy\nexternally to stakeholders. The IRS does include authentication errors in another quality\nmeasure reported internally.\nGuidelines do not require that assistors always ask high-risk questions when a caller\nincorrectly answers the required probes\nGuidelines state that if a caller\xe2\x80\x99s responses to either address or date of birth do not match the\nIRS\xe2\x80\x99 information, the assistor may ask high-risk questions to help authenticate the caller;\nhowever, the assistor is not required to ask additional questions. If the caller cannot provide the\ncorrect filing status used to file the return in question, the assistor must ask two or more\nadditional questions to authenticate the caller as someone eligible to receive information about\nthe account. Figure 1 shows assistors\xe2\x80\x99 requirements relating to the five required probes.\n                                       Figure 1: Five Required Probes\n\n       Taxpayer\n     Identification Name                Current Address             Filing Status               Date of Birth\n        Number\n     If the caller is unable to        If the caller fails to   If the caller cannot       If the caller fails the\n     provide either, advise            provide the correct      confirm filing status,     date of birth probe,\n     the caller to call back           address of record,       continue with date of      but correctly\n     when he or she has                but correctly            birth. The assistor        responds to all other\n     re-checked the taxpayer           responds to all of the   must also request          items, the assistor\n     name and Taxpayer                 other items, the         additional                 may request\n     Identification Number.            assistor may request     authentication.            additional\n     Terminate the call.               additional                                          authentication.\n                                       authentication.\n\n    Source: IRS internal guidelines.\n\n\n\n\n6\n A third-party designee acts as an authorized third-party contact for resolving certain issues related to the\nprocessing of a taxpayer\xe2\x80\x99s tax return or account.\n                                                                                                                Page 5\n\x0c                       Telephone Authentication Practices Need Improvements\n                             to Better Prevent Unauthorized Disclosures\n\n\n\nWe reported this issue in Fiscal Years 2004 and 2005. 7 In these two reports we recommended\nthat the IRS strengthen internal guidelines to ensure all required probes are asked and verified\nand that the assistors are required to go to the high-risk questions when information in the IRS\nsystems does not match the caller\xe2\x80\x99s information.\nThe IRS responded that guidelines provided a proper balance between protecting confidentiality\nand providing service without unnecessary burden. Further, the IRS stated assistors are given\ndiscretion because the data in its internal systems would not always match the information being\nprovided by the caller (i.e., address and date of birth) at the time of the call. The IRS receives\ndate of birth information from the Social Security Administration. The IRS did not revise its\ninternal guidelines and continues to allow the assistor discretion in asking additional high-risk\nauthentication probes.\nNevertheless, assistors are routinely asking the additional high-risk questions. For 80\n(44 percent) of the 180 calls, the assistors elected to ask callers high-risk questions. Social\nSecurity Administration authentication guidelines require assistors to ask high-risk\nauthentication probes if the caller incorrectly answers the date of birth question.\nThe IRS has a new IRS-wide Authentication Strategy and its vision is to promote data protection\nand enable ease of access to maintain public confidence and improve customer service. The\ngoals are to enhance an IRS-wide authentication internal control framework to address risk, deter\nfraudulent access, and institutionalize a common set of principles for authenticating taxpayers\nwhen contacting the IRS.\n\nAssistors are not effectively using the Accounts Management Service 8 to\nauthenticate taxpayers and control the calls\nFor 8 (38 percent) of 21 calls tested that included a video recording, the assistor did not\neffectively use the Accounts Management Service to facilitate the authentication process. It is\nrecommended that assistors use a job aid or tool in the Accounts Management Service to\nauthenticate callers. This tool allows assistors to type in a Social Security Number to obtain IRS\nrecords on the caller. The Accounts Management Service also provides a list of the required\nprobes and as the assistor asks each required question, they have been trained to check off each\nbox to confirm that the caller\xe2\x80\x99s answers match IRS\xe2\x80\x99 records. Figure 2 provides a screen display\nof one of the screens used by assistors to authenticate callers.\n\n\n\n7\n  Toll-Free Account Assistance to Taxpayers Is Professional and Timely, and the Quality of Information Provided\nHas Improved (Reference Number 2005-40-018, dated December 15, 2004) and Toll-Free Account Assistance to\nTaxpayers Is Professional and Timely, but Improvement Is Needed in the Information Provided (Reference\nNumber 2004-40-057, dated February 27, 2004).\n8\n  The Accounts Management Service is a computer-based system used to answer and resolve all taxpayer\naccount-related questions.\n                                                                                                          Page 6\n\x0c                     Telephone Authentication Practices Need Improvements\n                           to Better Prevent Unauthorized Disclosures\n\n\n\n             Figure 2: Accounts Management Service Disclosure Screen\n                      Used by Assistors to Authenticate Callers\n\n\n\n\n          Source: IRS training manual.\n\nFor these calls, assistors were observed checking off the disclosure data fields or\nthe \xe2\x80\x9cAuthorized\xe2\x80\x9d button on the Accounts Management Service Disclosure screen before asking\nthe required probes.\nIn addition, assistors did not appropriately control the authentication phase in 32 (18 percent) of\n180 calls. Guidelines clearly state that before assistors begin authenticating the caller, they are to\nfirst ask the purpose of the call to ensure they can provide assistance. Only after understanding\nthe purpose of the call and after determining if authentication is required are they to begin the\nauthentication process. This ensures they ask the probes without distractions. However, many\nassistors from the calls tested combined these two processes or allowed callers to interrupt during\nthe authentication process. In addition, assistors engaged in small talk during the authentication\nprocess.\nThese practices could cause the assistor to lose control of the call and be distracted when\nauthenticating the caller. This could also cause the assistor to lose track of how many of the\nrequired probes have been asked and cause the assistor to not properly authenticate the caller.\n\n\n\n\n                                                                                              Page 7\n\x0c                    Telephone Authentication Practices Need Improvements\n                          to Better Prevent Unauthorized Disclosures\n\n\n\nRecommendations\nThe Commissioner, Wage and Investment Division, should:\nRecommendation 1: Revise guidelines to require assistors to ask two additional high-risk\nprobes when callers incorrectly answer the address or date of birth probes.\n       Management\xe2\x80\x99s Response: The IRS disagreed with this recommendation, stating that\n       revising the guidelines is unnecessary. Current guidelines require the taxpayer to answer\n       five authentication questions and provide assistors the latitude to ask additional questions\n       if there is any doubt about the taxpayer\xe2\x80\x99s identity. The guidelines also state that the\n       telephone assistor may request additional authentication if the address or date of birth\n       question is answered incorrectly. In addition, the authentication strategic approach\n       currently under development will further change the current authentication process.\n       The IRS stated that while there is no plan at this time to require two additional high-risk\n       probes when callers incorrectly answer the address or date of birth probes, the IRS will\n       ensure that training materials continue to emphasize that inadequate caller identity\n       authentication could result in an unauthorized disclosure.\n       Office of Audit Comment: We believe requiring assistors to ask two additional\n       high-risk probes when callers incorrectly answer the address or date of birth probes is\n       warranted to reduce the risk of an unauthorized disclosure. Our review of sample calls\n       showed that assistors are routinely asking additional high-risk questions. We believe\n       modifying existing guidelines to require the additional questions would not be considered\n       a burden considering the consequences of unauthorized disclosure on taxpayers.\nRecommendation 2: Emphasize during training that assistors should not prematurely\nauthenticate callers when using the Account Management Services. In addition, train assistors\non the importance of controlling calls.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation. The\n       IRS stated that during its review of TIGTA\xe2\x80\x99s sample of calls, there were no instances\n       where unauthorized disclosure actually occurred due to the premature authentication of a\n       caller. In addition, use of an Integrated Automated Technology Disclosure Tool is now\n       mandatory. The tool includes all required authentication probes and provides the assistor\n       the ability to leave history notes related to authentication. Therefore, the possibility of\n       inadvertent disclosure is remote.\n       However, in keeping with the IRS\xe2\x80\x99 commitment to avoid even the remote possibility of\n       disclosure of taxpayer information, training materials will be updated to emphasize the\n       hazard of prematurely authenticating callers and bypassing the authentication tool. The\n       IRS currently focuses on the importance of utilizing the required authentication questions\n       and will continue to provide this training to telephone assistors.\n\n                                                                                             Page 8\n\x0c                    Telephone Authentication Practices Need Improvements\n                          to Better Prevent Unauthorized Disclosures\n\n\n\nTaxpayers May Be Able to Overhear Personally Identifiable\nInformation Being Discussed by Assistors on Other Calls\nTaxpayers who call the IRS toll-free telephone lines are at risk of having their Personally\nIdentifiable Information inadvertently overheard and disclosed during conversations with\n                             assistors. During our review of 48 (27 percent) of the 180 sampled\n                             calls, we were able to overhear other assistors discussing other\n                             callers\xe2\x80\x99 Personally Identifiable Information. For 10 calls\n                             (6 percent), we were able to clearly hear parts of conversations with\n                             other callers. For 38 calls (21 percent), other assistors\xe2\x80\x99 interactions\n                             with callers were overheard, but we could not clearly understand the\n                             conversations. This happened because assistors did not put callers\n                             on hold when they were researching the taxpayers\xe2\x80\x99 accounts. Also,\nthe physical layout of employee workstations at call centers allows other conversations to be\neasily overheard.\nFor 26 (14 percent) of the 180 calls, assistors repeated the Social Security Number back to the\ncaller on the telephone. This puts the IRS at risk for disclosing Personally Identifiable\nInformation. We recognize that assistors often have valid reasons to confirm the information\nprovided by callers. However, the practice of assistors repeating Personally Identifiable\nInformation increases the risk of inadvertent unauthorized disclosures because background\nconversations can be heard by other callers. Internal guidelines do not specifically prohibit this\nbehavior; however, a better practice would be for assistors to ask callers to restate information\nneeded. Taxpayers need to be assured that the IRS is taking every precaution to protect their\nprivate information from inadvertent disclosure.\n\nRecommendation\nRecommendation 3: The Commissioner, Wage and Investment Division, should emphasize\nduring training that assistors place callers on hold while conducting research. Guidelines should\nbe developed that require assistors to ask callers to repeat Personally Identifiable Information if\nclarification is needed (e.g., Social Security Numbers). In addition, if there is a need for\nan assistor to repeat information back to the caller, the information should be limited to only\npartial information, for example, the numbers of the caller\xe2\x80\x99s street address.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. It already\n       provides extensive training on telephone communication skills, including training\n       specifically on proper use of hold procedures and on conducting thorough authentication\n       interviews. During training, it will continue to emphasize the use of placing calls on\n       hold, when appropriate, as the level of research varies with each call (i.e., if minimal\n       research is required, there is no need to place the caller on hold). Guidelines and training\n       material will be modified to instruct assistors to ask the caller to repeat Personally\n\n                                                                                             Page 9\n\x0c                    Telephone Authentication Practices Need Improvements\n                          to Better Prevent Unauthorized Disclosures\n\n\n\n       Identifiable Information rather than having the assistor repeat the information back to the\n       caller. The IRS will develop guidelines and training that instruct the assistor to repeat\n       only partial information back to the caller when the assistor determines it is necessary to\n       repeat information.\n\nAdopting Industry Best Practices Could Improve the Customer\nService Experience, Reduce Operating Costs, and Increase the\nNumber of Calls Assistors Answered\nThe IRS is committed to providing top-quality service to taxpayers. The quality of service\nprovided to taxpayers remains among the major management challenges the IRS is facing. One\nof the IRS\xe2\x80\x99 major strategies in the IRS\xe2\x80\x99 Fiscal Year 2009\xe2\x80\x932013 Strategic Plan is to seek\ninnovative ways to simplify or eliminate processes that unnecessarily burden taxpayers or\nresources. The aim is to provide prompt and accurate responses to all requests for assistance.\nThe IRS\xe2\x80\x99 goal is to make its toll-free telephone operation a \xe2\x80\x9cworld-class customer service\norganization\xe2\x80\x9d that provides taxpayers with accessible and accurate tax assistance.\n\nAuthentication questions asked by IRS assistors are consistent with other\nFederal and State Government agencies\nCallers to the IRS toll free account lines are required to answer at least five but as many as seven\nquestions before the assistor can discuss account information. This requirement is consistent\nwith those of Federal and State Government agencies contacted during this review. Auditors\nheld discussions with representatives from the Social Security Administration, the Department of\nVeterans Affairs, and the States of California and Georgia to evaluate the agencies authentication\nrequirements and identify best practices. Except for the Social Security Administration and the\nDepartment of Veterans Affairs, agencies require callers to provide their name, address, and\nSocial Security Number, and require assistors to ask high-risk questions. Assistors at the\nDepartment of Veterans Affairs ask callers for the military service branch they served under\ninstead of their address. Figure 3 shows the authentication questions asked by assistors for select\nFederal and State Government agencies.\n\n\n\n\n                                                                                            Page 10\n\x0c                       Telephone Authentication Practices Need Improvements\n                             to Better Prevent Unauthorized Disclosures\n\n\n\n                  Figure 3: Authentication Questions Asked by Assistors\n                     for Select Federal and State Government Agencies\n\nCallers Are Asked to         Internal\n                                             Social Security        Department of      State of    State of\nAuthenticate the             Revenue\n                                             Administration        Veterans Affairs   California   Georgia\nFollowing:                   Service\nName                             X                   X                       X            X           X\nAddress                          X                                                        X           X\nSocial Security\n                                 X                   X                       X            X           X\nNumber\nDate of Birth                    X                   X\nFiling Status                    X\nMother\xe2\x80\x99s Maiden\n                                                     X\nName\nPlace of Birth                                       X\nBranch of Military\n                                                                             X\nService\nHigh-Risk Questions              X                   X                       X            X           X\nSource: TIGTA auditors\xe2\x80\x99 discussions with the selected government agencies.\n\nReducing the number of times callers are authenticated could improve the\ncustomer service experience\nTaxpayers asking for account assistance must be authenticated each time they are transferred to a\ndifferent assistor. Callers are routinely transferred because they have additional questions the\nassistor may not be trained to answer. During Fiscal Year 2009, 1,019,170 calls were\ntransferred.\nThe IRS has a future strategy called Authentication Retention to reduce the number of times a\ncaller is authenticated. It will enable automatic identification over the telephone for\naccount-related callers by verification of specific shared secrets. Authentication Retention will\nincrease taxpayer value through ease in authentication and lack of repetition, as a caller\xe2\x80\x99s\nauthentication information and contact history is made readily available to each assistor who\nprovides help to the caller. Reducing the number of times an assistor has to authenticate callers\ndecreases the risk of unauthorized disclosures and taxpayer burden. While only a few callers\ncomplained about having to answer so many questions, having to answer the same questions\nmultiple times may be considered excessive.\n\n\n\n\n                                                                                                   Page 11\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n\nAuthenticating callers while they wait to speak to an assistor could further reduce\ntaxpayer burden and authentication errors\nFor Fiscal Year 2009, the average amount of time callers waited to speak with an assistor was\napproximately 10 minutes. While waiting, callers generally hear music or informational\nannouncements.\nThe Social Security Administration authenticates callers using an automated system made up of\nvoice recognition and/or touch tone actions that captures the caller\xe2\x80\x99s responses. The caller is\nasked: 1) first and last name, 2) place of birth, 3) date of birth, 4) mother\xe2\x80\x99s maiden name, and\n5) Social Security Number. The responses are automatically populated to the assistor\xe2\x80\x99s computer\nscreen for verification. If verified, the assistor is able to immediately help the caller with his or\nher issue. If incorrect or if the caller does not answer all five questions, the assistor is instructed\nto ask additional probing questions to authenticate the caller.\nSeveral of the technological components required for Authentication Retention could be used for\nauthenticating callers in the queue. Managers at the Social\nSecurity Administration stated that the ability to\nauthenticate callers while they wait in the queue allows         Authenticating callers while\n                                                               they wait in the queue to talk to\nassistors to immediately address issues, answer more calls,       an assistor saves time and\nand reduce customer burden. Further, authenticating callers          increases accuracy.\nwhile they wait in the queue saves time and increases\naccuracy. The IRS estimates that assistors spend\napproximately 1 minute per call authenticating the caller.\nAuthenticating callers in the queue also increases the number of calls the IRS can answer. This\nis especially important because as the IRS answers more calls, the Level of Service91 provided to\ntaxpayers increases. Using results from our statistical sample, if 50 percent of the callers were\nauthenticated while waiting to speak to an assistor, the IRS could save 136,654 minutes of\nassistor time, or 2,278 hours per week. The projected 5-year (Fiscal Years 2010 through 2014)\nproductivity gain from authenticating callers while they wait to speak with an assistor would\nequal 496 Full-Time Equivalents,102 or approximately $30 million. During Fiscal Year 2009, the\naverage amount of time assistors spent on the telephone assisting callers was more than\n11 minutes.113 The IRS could also increase productivity by answering 1,180,306 additional calls\n\n\n\n\n9\n  The Level of Service is the IRS\xe2\x80\x99 primary measure of providing taxpayer with access to a live assistor.\n10\n   A measure of labor hours in which 1 Full-Time Equivalent is equal to 8 hours multiplied by the number of\ncompensable days in a particular fiscal year. For Fiscal Year 2009, 1 Full-Time Equivalent was equal to 2,088 staff\nhours. See Appendix IV for details.\n11\n   Average amount of time assistor spent assisting caller calculated as follows: The Average Handle Time for Fiscal\nYear 2009 individual taxpayer account calls is 690 seconds, 690/60 seconds = 11.5 minutes.\n                                                                                                          Page 12\n\x0c                       Telephone Authentication Practices Need Improvements\n                             to Better Prevent Unauthorized Disclosures\n\n\n\nper year124 because assistors would spend approximately 1 minute less talking with callers\nbecause the reason they called could be immediately addressed as soon as the call is answered.\nFinally, using an automatic system to authenticate taxpayers would eliminate many of the\nconcerns identified in this audit and reduce employee authentication errors. All five probes\nwould be consistently asked. Assistors would have to ask only the high-risk questions, if any at\nall, and would be able to focus on the customer\xe2\x80\x99s request.\n\nRecommendation\nRecommendation 4: The Commissioner, Wage and Investment Division, should incorporate\navailable technology to authenticate callers in the queue as part of the development of\nAuthentication Retention.\n        Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. It will submit\n        a Unified Work Request by January 15, 2011, to incorporate available technology to\n        authenticate callers prior to their reaching an assistor. The requested action will be\n        subject to funding and resource prioritization.\n        Office of Audit Comment: The IRS did not agree with our outcome measure related\n        to this recommendation because it believes that the measure does not consider the cost to\n        develop and operate the Authentication Retention system. We agree that there would be\n        additional costs to develop and operate the Authentication Retention system. However,\n        these costs have not been quantified and the IRS did not provide its own estimate in its\n        response. Notwithstanding, we believe this outcome measure shows the degree to which\n        the Authentication Retention system will improve the efficient use of existing staff\n        resources based on the average volume of calls during the stated 3-year period.\n\n\n\n\n12\n  The following data were used to calculate 1,180,306 additional calls per year: The average number of individual\naccount calls for Fiscal Years 2007 through 2009 equals 24,786,428 multiplied by 50 percent of callers that would\nbe authenticated while they wait to speak with an assistor (24,786,428 X .50 = 12,393,214). We divided the number\nof callers authenticated while they wait, 12,393,214, by the average number of minutes assistors spend assisting\ncallers, 10.5 minutes (12,393,214/10.5 = 1,180,306). The 10.5 minutes were calculated by taking the 11.5 minutes\nthe IRS stated its assistors spend with callers on account calls less the 1 minute spent authenticating callers.\n                                                                                                        Page 13\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n                                                                                                    Appendix I\n\n          Detailed Objective, Scope, and Methodology\n\nOur overall objective was to evaluate the controls over the authentication of taxpayers who call\ntoll-free telephone numbers to determine whether current procedures to authenticate these\ntaxpayers reduce the risk of unauthorized disclosure of taxpayer Personally Identifiable\nInformation. To accomplish this we objective, we:\nI.       Determined previous concerns and what actions were taken to correct them by researching\n         prior taxpayer authentication issues and previously reported control breakdowns.\n         A. Contacted the TIGTA Office of Investigations to obtain information on any open or\n            closed investigations related to unauthorized disclosure or identity theft related to\n            taxpayer authentication from the toll-free telephone lines.\n         B. Obtained and reviewed prior audit reports on telephone authentication.\nII.      Determined whether IRS policies and controls for processing taxpayer requests for tax\n         account information are sufficient.\n         A. Evaluated the internal control environment and identified risks related to responding\n            to taxpayers\xe2\x80\x99 telephone contact regarding tax account information by researching\n            internal guidelines and training materials and interviewing appropriate IRS personnel.\n         B. Contacted IRS functional offices to evaluate internal initiatives to improve existing\n            authentication methods, including internal evaluation or adoption of new\n            authentication methods and technologies.\n         C. Reviewed the quality review process and quality reports to identify disclosure\n            accuracy trends and evaluated how this information is used to increase authentication\n            accuracy rates and reduce the risk of unauthorized disclosure.\nIII.     Determined whether employees adhered to authentication guidelines.\n         A. Selected a statistical sample of 180 contact recordings 1 from the 273,308 contact\n\n\n\n\n1\n  A contact recording captures the audio portion of the assistor/taxpayer interaction on the IRS\xe2\x80\x99 toll-free telephone\nlines and is synchronized with computer screen activity for replay and quality review. Some of the recordings also\ninclude a video of the computer screen activity. These contact recordings were from calls received from individual\ntaxpayers who called the IRS\xe2\x80\x99 1-800-829-1040 line during the week ending August 14, 2009.\n                                                                                                             Page 14\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n             recordings list for Applications 20 and 21 2 for the week ending August 14, 2009. We\n             used a 95 percent confidence level, 6 percent precision rate, and 20 percent error rate.\n             The error rate was based on our survey results. We validated our sample by\n             confirming assistors accessed taxpayers\xe2\x80\x99 accounts while providing assistance.\n         B. From the statistical sample, determined whether employees asked the required probes\n            to authenticate the caller.\nIV.      Contacted Federal and State Government agencies to identify toll-free authentication\n         controls and best practices.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the IRS\xe2\x80\x99 policies, procedures, and\npractices over the authentication of taxpayers who call toll-free telephone numbers. We\nevaluated these controls by assessing the internal control environment, interviewing\nmanagement, and reviewing a sample of contact recordings.\n\n\n\n\n2\n  The toll-free telephone assistance lines are subdivided into categories called \xe2\x80\x9capplications,\xe2\x80\x9d each of which is\nstaffed with a group of assistors who have received specialized training to assist taxpayers with specific tax issues.\nApplications 20 and 21 are devoted to assistors answering taxpayer questions involving tax account conditions such\nas refunds, balance-due billing activity, and changes to the amount of tax owed.\n                                                                                                             Page 15\n\x0c                   Telephone Authentication Practices Need Improvements\n                         to Better Prevent Unauthorized Disclosures\n\n\n\n                                                                             Appendix II\n\n                 Major Contributors to This Report\n\nMichael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account\nServices)\nAugusta R. Cook, Director\nFrank Jones, Audit Manager\nWilma Figueroa, Acting Audit Manager\nGeraldine Vaughn, Lead Auditor\nKenneth Carlson, Senior Auditor\nJerome Antoine, Auditor\n\n\n\n\n                                                                                    Page 16\n\x0c                  Telephone Authentication Practices Need Improvements\n                        to Better Prevent Unauthorized Disclosures\n\n\n\n                                                                           Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Services and Enforcement SE\nChief Financial Officer OS:CFO\nDeputy Commissioner, Wage and Investment Division SE:W\nDirector, Customer Account Services, Wage and Investment Division SE:W:CAS\nDirector, Strategy and Finance, Wage and Investment Division SE:W:S\nDirector, Accounts Management, Wage and Investment Division SE:W:CAS:AM\nDirector, Joint Operations Center, Wage and Investment Division SE:W:CAS:JOC\nChief, Performance Evaluation and Improvement, Wage and Investment Division\nSE:W:S:PRA:PEI\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Chief, Program Evaluation and Improvement, Wage and Investment Division\nSE:W:S:PRA:PEI\n\n\n\n\n                                                                                   Page 17\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\n                                                                                                  Appendix IV\n\n                                     Outcome Measures\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective actions will have on tax administration. These benefits will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xe2\x80\xa2   Taxpayer Privacy and Security \xe2\x80\x93 Potential; 44,067 taxpayers with increased risk of\n    unauthorized disclosures (see page 3). The outcome relates to the number of callers who\n    were at risk of having Personally Identifiable Information or tax information disclosed\n    without authorization during a 1-week period.\n\nMethodology Used to Measure the Reported Benefit:\nOur test results showed assistors did not properly authenticate 29 (16 percent) callers from our\nstatistical sample of 180 contact recordings. 1 The sampling error is \xc2\xb1 6 percent with a 95 percent\nconfidence level and a 20 percent error rate that the number of callers who were at risk of\nunauthorized disclosure ranged from 28,768 to 59,366 for the week of August 14, 2009.\nWe computed the number of callers who were at risk of unauthorized disclosure by multiplying\nthe number of account contact recording segments for the week of August 14, 2009, in\napplications 20 and 21 by the error rate identified from our observation of contact recordings.\nThe following factors were used to calculate potential savings:\n\xe2\x80\xa2   Total volume of account contact recording segments during the week of August 14, 2009 =\n    273,308.\n\xe2\x80\xa2   The percentage of calls observed where assistors did not properly authenticate the caller\n    = 16 percent.\nProjected number of callers at risk of unauthorized disclosure\n273,308 x 16 percent = 44,067. 2\n\n\n\n1\n  A contact recording captures the audio portion of the assistor/taxpayer interaction on the IRS\xe2\x80\x99 toll-free telephone\nlines and is synchronized with computer screen activity for replay and quality review. Some of the recordings also\ninclude a video of the computer screen activity. These contact recordings were from calls received from individual\ntaxpayers who called the IRS\xe2\x80\x99 1-800-829-1040 line during the week ending August 14, 2009.\n2\n  Due to rounding, the figures may not always equal the totals presented in the report.\n                                                                                                             Page 18\n\x0c                        Telephone Authentication Practices Need Improvements\n                              to Better Prevent Unauthorized Disclosures\n\n\n\nType and Value of Outcome Measure:\nInefficient Use of Resources \xe2\x80\x93 Potential; $30,310,560 (see page 9). The outcome includes the\nprojected increased productivity equal to 496 3 Full-Time Equivalents 4 for Fiscal Years 2010\nthrough 2014 by eliminating the estimated 1 minute of time assistors spend authenticating callers\nto IRS toll-free account telephone lines.\n\nMethodology Used to Measure the Reported Benefit:\nOur test results showed the IRS estimates that assistors spend approximately 1 minute per call\nauthenticating callers to toll-free account telephone lines. Use of an automated process would\nreduce the labor required to authenticate callers. The following factors were used to calculate\npotential savings:\n\xe2\x80\xa2   Average volume of account calls received during a three Fiscal Year period, 2007 through\n    2009 = 24,786,428.\n\xe2\x80\xa2   The estimated time to authenticate callers = 1 minute.\n\xe2\x80\xa2   The estimated percentage of calls where the caller will correctly answer the authentication\n    probes and not require the assistor to complete additional authentication steps = 50 percent.\n\xe2\x80\xa2   The estimated average salary for an assistor = $61,110.\nTotal estimated time assistors will save per year by authenticating callers while they wait to\nspeak with an assistor.\n\xe2\x80\xa2   24,786,428 calls x 50 percent x 1 minute = 12,393,214 minutes.\n\xe2\x80\xa2   12,393,214 / 60 minutes = 206,554 hours.\nTotal estimated annual savings assistors will save by authenticating callers while they wait to\nspeak with an assistor.\n    \xe2\x80\xa2   206,554 / 2,088 hours per Full-Time Equivalent = 99 Full-Time Equivalents.\nProjected inefficient use of resources in Full-Time Equivalents over 5 years\n99 Full-Time Equivalents x 5 years = 496 Full-Time Equivalents.\nProjected inefficient labor costs from Full-Time Equivalents over 5 years\n496 Full-Time Equivalents x $61,110 = $30,310,560.\n\n\n3\n Due to rounding, the figures may not always equal the totals presented in the report.\n4\n A measure of labor hours in which 1 Full-Time Equivalent is equal to 8 hours multiplied by the number of\ncompensable days in a particular fiscal year. For Fiscal Year 2009, 1 Full-Time Equivalent was equal to 2,088 staff\nhours.\n                                                                                                          Page 19\n\x0c                           Telephone Authentication Practices Need Improvements\n                                 to Better Prevent Unauthorized Disclosures\n\n\n\n                                                                                                     Appendix V\n\n                             Authentication Requirements\n\nThe following details the authentication requirements for telephone assistors who answer calls\nabout individual taxpayer accounts.\n1. For purposes of identification and to prevent unauthorized disclosures of tax information,\n   you must know with whom you are speaking, complete name and title, and the purpose of the\n   call/contact.\n       CAUTION: Inadequate authentication of the identity of a caller could result in an\n       \xe2\x80\x9cunauthorized disclosure\xe2\x80\x9d of return or return information. If an IRS employee makes a\n       knowing or negligent unauthorized disclosure, the United States may be liable for damages in\n       a civil cause of action. If an IRS employee makes a voluntary, intentional disclosure, the\n       employee may be subject to criminal penalties including a fine, imprisonment, and loss of\n       employment.\n2. When you determine that the person with whom you are speaking is being coached with the\n   answers to the disclosure probes, you must verify if the caller is the taxpayer or someone\n   else. Once you have determined that the caller is not the taxpayer, you must complete the\n   required disclosure probes with the taxpayer and then secure verbal consent from the\n   taxpayer to discuss the matter with the third party. IRS employees are authorized to accept a\n   taxpayer\xe2\x80\x99s verbal consent to disclose return information to parties assisting the taxpayer in\n   resolving a tax matter.\n3. Required Individual Master File 1 authentication probes:\n        a. Taxpayer Identification Number - If the taxpayer is inquiring about a jointly filed return,\n           only one Taxpayer Identification Number is necessary, preferably the primary number.\n           The secondary Taxpayer Identification Number may be required if the primary is\n           unavailable or for use as an additional authentication check.\n        b. Name - as it appears on the tax return (for the tax year(s) in question), including spouse\xe2\x80\x99s\n           name for a joint return.\n           NOTE: If the caller is unable to provide \xe2\x80\x9ca\xe2\x80\x9d and \xe2\x80\x9cb\xe2\x80\x9d above, advise the caller to call\n           back when he or she has re-checked the taxpayer name and Taxpayer Identification\n           Number. Terminate the call.\n\n\n\n1\n    The Individual Master File is the IRS database that maintains transactions or records of individual tax accounts.\n                                                                                                               Page 20\n\x0c                  Telephone Authentication Practices Need Improvements\n                        to Better Prevent Unauthorized Disclosures\n\n\n\n c. Current address - If taxpayer fails to provide the correct address of record, but correctly\n    responds to all of the other items, you may request additional taxpayer authentication\n    pursuant to Additional Taxpayer Authentication.\n    NOTE: If you are unable to verify the address on the Integrated Data Retrieval System,\n    request the address as it appears on the last tax return or as modified by IRS records.\n d. Filing status used on the return(s) in question (e.g., amended return, original return). If\n    the taxpayer cannot confirm filing status or, if the taxpayer is inquiring about an account\n    issue that does not need filing status confirmation, continue with paragraph (e) below.\n    You must also follow the procedures outlined in Additional Taxpayer Authentication.\n    CAUTION: If the caller is inquiring about multiple tax years, you must be certain that\n    the individual is a party to each tax year in question and is entitled to receive information\n    on each tax year.\n    NOTE: When the caller is inquiring about an amended return that has not yet posted, the\n    filing status on the related original return must be provided. If the amended return for\n    which the individual is inquiring has posted, the caller must provide the filing status on\n    the posted amended return.\n e. Date of birth of primary or secondary taxpayer - If the taxpayer fails the date of birth\n    probe, but correctly responds to all other items above (name, Taxpayer Identification\n    Number, address, and filing status), you may request additional taxpayer authentication\n    pursuant to Additional Taxpayer Authentication.\n    NOTE: If there is a discrepancy with the date of birth on IRS records but you are\n    confident (taxpayer has passed authentication requirements) that you are speaking with\n    the taxpayer, advise the taxpayer to contact the Social Security Administration at\n    1-800-772-1213 to correct the error.\nAdditional Taxpayer Authentication\n 1. For other conditions in which additional authentication is warranted, using the list below,\n    verify two or more additional items from the taxpayer\xe2\x80\x99s return or account:\n     \xe2\x80\xa2   Spouse\xe2\x80\x99s date of birth.\n     \xe2\x80\xa2   Child\xe2\x80\x99s/children\xe2\x80\x99s date(s) of birth.\n     \xe2\x80\xa2   Amount of income reported on last return or tax due on return.\n     \xe2\x80\xa2   Employers shown on taxpayer\xe2\x80\x99s Wage and Tax Statement (Form W-2).\n     \xe2\x80\xa2   Financial institutions from taxpayer\xe2\x80\x99s Information Returns [Interest Income\n         (Form 1099-INT) or Dividends and Distributions (Form 1099-DIV)].\n\n\n                                                                                         Page 21\n\x0c             Telephone Authentication Practices Need Improvements\n                   to Better Prevent Unauthorized Disclosures\n\n\n\n\xe2\x80\xa2   Number of exemptions claimed on last return or on return in question.\n\xe2\x80\xa2   Preparer, paid/unpaid, if any.\n\xe2\x80\xa2   Expected refund amount (within $100) unless computed by the IRS.\n\xe2\x80\xa2   Any other verifiable items from the return/account.\n\n\n\n\n                                                                            Page 22\n\x0c      Telephone Authentication Practices Need Improvements\n            to Better Prevent Unauthorized Disclosures\n\n\n\n                                                  Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                        Page 23\n\x0cTelephone Authentication Practices Need Improvements\n      to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                                  Page 24\n\x0cTelephone Authentication Practices Need Improvements\n      to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                                  Page 25\n\x0cTelephone Authentication Practices Need Improvements\n      to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                                  Page 26\n\x0cTelephone Authentication Practices Need Improvements\n      to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                                  Page 27\n\x0cTelephone Authentication Practices Need Improvements\n      to Better Prevent Unauthorized Disclosures\n\n\n\n\n                                                  Page 28\n\x0c'